[Note added: 16 March 2017. The Executive Order has been rescinded. However, the analysis of Privacy Act 1974 in the USA is valid. It does not apply to EU nationals and even if it did, the analysis shows that there is very little in the way of privacy protection. It appears to me to be data sharing legislation]
President Trump’s Executive Order (Enhancing Public Safety in the Interior of the United States) has caused controversy over its temporary ban on all Muslims entering the USA from certain countries. It has consequences for data protection.
However, law-firm Hunton and Williams has just published a blog which concludes that “the Order should not impact the legal viability of the Privacy Shield framework” (see references). This conclusion is reached because, in the blog’s view, EU nationals still have access to USA courts by the Judicial Redress Act which is unaffected by the Executive Order (unless this access is revoked by the USA).
I agree with the blog’s conclusions relating to the Judicial Redress Act; however, I am not convinced that this overcomes the main data protection problem associated with this Order.
This is because implementation of this Order requires enhanced data sharing between Federal Agencies in the USA. As this data sharing involves EU nationals it directly raises the question: “whether or not the provisions of USA’s Privacy Act 1974 itself offers an adequate level of protection for transfers of personal data to the USA?”.
In other words, the Executive Order will inevitably focus attention on the quality of protections provided by Privacy Act and not on whether these protections are accessible to EU citizens via Judicial Redress Act.
So what are these protections when there is data sharing? In this blog, I explore them.
President Trump's Executive Order
Section 14 of the Executive Order states that “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information”.
Note that this exclusion relates to data subjects of all visitors and foreign nationals lawfully working in the USA irrespective of nationality.
In addition, there will be increased data sharing of personal data about EU data subjects (permitted by the Privacy Act as we shall see). For instance, Section 4 of the Order “direct agencies to employ all lawful means to ensure the faithful execution of the immigration laws of the United States against all removable aliens” (my emphasis).
One such “lawful means” includes maximising lawful sharing of personal data between Federal Agencies as legitimised by the USA’s Privacy Act.
Section 2(b) of the Order reinforces this increased data sharing impetus as Federal Agencies should “Make use of all available systems and resources to ensure the efficient and faithful execution of the immigration laws of the United States”. Systems and resources obviously include the immense personal datasets now held by Federal Agencies.
The definition of “removable alien” also increases to range of data sharing; a removable alien includes non-USA citizens:
- who engage in “willful misrepresentation in connection with any official matter” (i.e. even if unconnected with immigration);
- who “have abused any program related to receipt of public benefits”; or
- who in “in the judgment of an immigration officer, otherwise pose a risk to public safety”.
Finally, the Order states that is “the policy of the executive branch to empower State and local law enforcement agencies across the country to perform the functions of an immigration officer in the interior of the United States to the maximum extent permitted by law”.
The point being made is that it seems quite easy for any non-USA national to qualify for the status of “potential removable alien”, especially if a large number of officials can investigate any individual if they judge that person to be “a risk to public safety” (whatever that means).
It is these low thresholds that can trigger data sharing which will focus attention to the actual protection afforded by the Privacy Act itself. Additionally, if these protections do not exist (as they do in some disclosure circumstances), then access to them by the Judicial Redress Act is rendered irrelevant.
The USA Privacy Act of 1974
According to the Department of Justice (DoJ) website, the Privacy Act of 1974 establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of personal data processed by Federal Agencies.
Back in 1974, computer technology was largely mainframe based (e.g. a much loved IBM 370 series around the time of my PhD) so at the time of the Privacy Act, much of the detail in personal records, held by Federal Agencies, were in manual form.
Also in data protection terms, 1974 is seven years before Council of Europe Convention (No. 108) of 1981 which is the leading European agreement on Data Protection and just after Younger’s Report into Privacy in 1972 (from which the ubiquitous Data Protection Principles emerged).
The point being made is that, without looking at any text, it would not surprise anybody if the forty-three year old provisions in the USA’s Privacy Act 1974 were found to be out of date. Provisions that were enacted and debated at a time when detailed personal records were manually stored, are now being regularly applied in a wholly different electronic era.
By contrast, most of Europe is enacting its third generation of comprehensive data protection law (i.e. the GDPR) to update the level of data subject protection in an inter-connected world. This alone raises serious doubt as to the adequacy of the level of protection afforded by a 43-year-old piece of legislation.
The DoJ’s own description of the Privacy Act on its website reinforces these doubts (see references). It states that “the Act’s imprecise language, limited legislative history, and somewhat outdated regulatory guidelines have rendered it a difficult statute to decipher and apply” and “Moreover, even after more than forty years of administrative and judicial analysis, numerous Privacy Act issues remain unresolved or unexplored”.
So, in the forthcoming Trumpian era, if data sharing goes wrong, are the European Commission and EU Data Protection Authorities expecting EU Citizens to cover the expense of litigation in the USA Courts in order to deal with the many “unresolved or unexplored” issues the DoJ have identified?
Does this look like “an adequate level of protection” to you? It doesn’t to me.
Data sharing under the Privacy Act
The Privacy Act 1974 requires that Agencies place a public notice about their processing in a Federal Register and prohibits the disclosure of personal data in the absence of written consent of the data subject, unless the disclosure is exempt from the Privacy Act altogether, or unless the disclosure is pursuant to one of twelve statutory exceptions.
As the Executive Order states that Agencies “privacy policies exclude persons who are not United States citizens”, one can assume that details of any data sharing required by the Order will be absent from such policies.
This raises an immediate question: if EU citizens do not know about data sharing because of the Order’s exhortations, how can such persons know that they can use the Judicial Redress Act to access the protection afforded by the Privacy Act with respect to such data sharing? If you have an answer, can you tweet it to @realDonaldTrump?
Three of these dozen conditions mentioned above are relevant to the further use or disclosure of personal data by Federal Agencies. These conditions are:
- "need to know" within an Agency; this allows an Agency to use the personal data for any official purpose (e.g. if they need to know about potential “removable aliens”).
- “routine uses”; this will allow any Federal Agency to use personal data held by other Agencies in the same set of circumstances (i.e. relating to “removable aliens”).
- “law enforcement request”; a senior officer must make the request and specify the requirements. There is no test of prejudice or necessity associated with the request for personal data (e.g. as per the UK Data Protection Act).
It can be seen that the Privacy Act itself is a “flexible friend” from the perspective of a Federal Agency wanting to use or share personal data. For example, with respect to any potential removable alien:
Finally in the section, data sharing for a data matching purpose linked to a law enforcement is not subject to the Privacy Act at all. For example, if a dataset was identified for a data matching purposes in relation to criminal offences or law enforcement associated with removable aliens.
In my view, the Executive Order will inevitably focus attention on the limited privacy protection afforded by the USA’s Privacy Act 1974; I suspect that any detailed analysis of that Act will show that the protection to be patchy and deficient.
It is only a matter of time before an event involving a EU citizen (or European NGO) is raised with a data protection authority. The question is not whether there will be a problem with the Privacy Act 1974, but when such a problem manifests itself in a way that cannot be ignored.
Of course, the Working Party 29 could easily maintain its stance on Privacy Shield (i.e. review Privacy Shield once the GDPR has been implemented and the powers of the European Data Protection Board become available). Such a review has to consider the Privacy Act itself.
For instance, last Friday, EU Justice Commissioner Vera Jourova told the press in Malta that "I need to be reassured that Privacy Shield can remain". Can I use this blog to exhort Ms Jourova to at least ask the right question; it is “whether the USA’s Privacy Act 1974 offers an adequate level of protection for EU Citizens”.
However, the USA is a Third County outside the EEA. If I were a data controller relying on Privacy Shield, I would look at contingency arrangements just in case this Order (or another Trumpian policy) goes horribly pear-shaped. For ideas, see my blog on a Hard Brexit for options (see references).
When Privacy Shield was hurriedly negotiated under President Obama, all the negotiators wanted to extract themselves from a “Safe Harbor” pit, dug for them by the CJEU decision in Schrems. The politicians negotiating the deal were willing to gloss over the actual level of protection afforded by the USA’s Privacy Act of 1974 in order to agree Privacy Shield.
This is not an option given Executive Orders like this; I cannot see how this Privacy Act offers an adequate level of protection.
Indeed, I suspect this was known to be the case with the original Safe Harbor agreement.
Forthcoming Amberhawk’s courses in February/March
- DP Audit 20 February (London)
- GDPR Workshop: 23 February (London)
- DP Foundation Course: Starts 7 March (BCS syllabus; London)
- DP Practitioner Course: Starts 28 March (BCS syllabus; London)
Advanced warning: we have devoted the next UPDATE session on 3rd April 2017 to the GDPR. We have an impressive array of speakers lined up including from ICO and DCMS http://www.amberhawk.com/bookevents.asp
Enhancing Public Safety in the Interior of the United States (Executive Order): https://www.whitehouse.gov/the-press-office/2017/01/25/presidential-executive-order-enhancing-public-safety-interior-united
Hunton and Williams Blog: “Privacy Shield: Impact of Trump’s Executive Order”: https://www.huntonprivacyblog.com/2017/01/28/privacy-shield-impact-of-trumps-executive-order/
The options facing a controller in Privacy Shield are the same as in my blog: “If a hard Brexit a-gonna fall what then happens to overseas transfers of personal data? Replace “hard Brexit” with “Privacy Shield implosion” in the text http://amberhawk.typepad.com/amberhawk/2017/01/if-a-hard-brexit-a-gonna-fall-what-then-happens-to-overseas-transfers-of-personal-data.html
Schrems CJEU decision C362/14: http://curia.europa.eu/juris/documents.jsf?num=c-362/14